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Problem  Studied 


Message  authentication  is  used  to 
confirm  the  integrity  of  a  message  and 
the  authenticity  of  its  sender. 

Conventionally,  message  authentication 

is  an  application  layer  problem. 

For  the  class  of  communications  systems 
considered  here,  we  present  message 
authentication  solutions  that  work  at  the 

physical  layer. 
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Why? 

Primary  reason  to  consider  the  physical 
layer  is  to  reduce  communications  costs 

-  Saves  power 

-  Fewer  bits  or  chips  needed 

-  Better  control  over  false  acceptance  versus 
false  rejection  tradeoff 


NATO  Crosslayer  Workshop  -  June  2-3,  2004 


APPROVED  FOR  PUBLIC  RELEASE 


Spread  Spectrum  Communication 

•  Widely  used,  especially  in  military 
communications 

•  Each  bit  is  represented  by  multiple  chips 

•  Sender  and  receiver  use  same  chip 
sequence  to  construct  bits 

•  Spreading  gain  is  the  number  of  chips 
per  bit. 
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Example:  Spread  Spectrum 


Input  bits 


Chips 


Resultant 

Waveform 
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Conventional  MAC'S 


A  Message  Authentication  Code  (MAC) 
is  a  sequence  of  bits  that  depends  on 
message  and  secret  key 

Since  only  sender  and  receiver  know 
key,  only  sender  and  receiver  can  create 
correct  MAC 

In  wired  networks,  MAC'S  are  128  or 
more  bits  long 

In  wireless  networks,  MAC'S  can  be 
much  shorter 
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Minitag  Idea 

Our  idea,  which  we  call  a  minitag,  is  to 
use  a  sequence  of  chips,  not  bits,  to 
represent  the  MAC. 

The  MAC  will  consist  of  many  chips,  but 
not  all  have  to  be  received  correctly 

(Good  thing,  since  chip  error  rate  is 
much  higher  than  bit  error  rate.) 
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Message  Authentication  at 

Sender 

•  Sender  computes  tag  using  secret  key 
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Authentication  at  Receiver 


Receiver  computes  tag: 
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Compare  Tags  to  Verify 

•  Receiver  compares  tags  to  verify 
message  authentication: 
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Minitag  Analysis 

•  If  message  is  correct,  then  all  chips 
agree  (except  for  noise) 

•  If  message  is  false,  then  chips  disagree 
with  probability  0.5 

•  Assume  Gaussian  noise  with  variance 
depending  on  SNR 

•  Hypothesis  becomes:  choose  between 
(0.5)n  and  p'(1-p)m  where  /  =  #  errors, 
m  =  #  correct,  p  =  chip  error  probability 
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Chip  Error  Rate 

P(Chip  Error)  vs.  BER 

For  various  value  of  chips  per  bit 
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Mintag  Length  vs.  P(False  Accept) 

Mini-tag  Length  vs.  P(False  Alarm) 


BER  from  le-8  to  le-3.  Coding  gain  =  64 


Pi  False  Alarm) 
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Example:  IS-95  CDMA 

•  Assume  BER  =  0.001  (before  ECC), 
coding  gain  =  64,  rate  1/2  ECC 

•  For  1e-7  security,  a  conventional  tag 
needs  24  bits 

•  Chips  needed  =  24  *  2  *  64  =  3072 

•  Minitag  needs  195  chips,  a  savings  of 
almost  two-thirds 
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Soft  Decision  Minitag 

•  Can  use  soft  decision  decoding 

•  Treat  each  chip  as  a  Gaussian  RV 

•  If  message  is  correct,  all  means  =  -1 

•  If  message  is  false,  means  randomly 
alternate  between  -1  and  1 

•  Use  central  limit  theorem  for  analysis 
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Densities 


Loa  Likelihood  Ratio 

Densities  Under  HO  and  HI 

And  Log  Likelihood  Ratio 
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Log  Likelihood  Ratio 


Soft  Decision  Performance 

Continuing  IS-95  example,  chips  needed 
reduced  to  about  774,  a  savings  of 
almost  a  factor  of  4  from  the  original. 
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Conclusions 

By  considering  authentication  at  physical 
layer,  reduced  communications  cost  for 
message  authentication  by  about  2/3  to 
3/4 

Furthermore,  we  can  tune  false 
acceptance  and  false  rejection 
probabilities 

Future  work  improving  and  extending  to 
other  communication  scenarios. 
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DSSS  Work 


•  At  last  year's  review,  presented  work 
using  a  “minitag”  for  authentication. 

•  The  minitag  used  chips,  not  bits,  by 
altering  the  spreading  sequence. 

•  Eg.  Assuming  coding  gain  of  64, 
BER=1e-3,  false  alarm  and  miss 
probabilities  =  1e-7,  rate=1/2  ECC, 

-Conventional  needs  3072  chips 
-  Minitag  needs  1195  chips 
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Current  Work  on  Minitag 

Extending  to  soft  decision. 

Ex.,  can  reduce  chip  length  to  772  chips, 
a  factor  of  4  reduction  from  original  3072 
chips. 

(Problem  is  that  our  analysis  uses  the 
central  limit  theorem,  which  may  be 
inaccurate  at  the  very  small  probabilities 
needed  here.) 
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New  Work 


•  Message  authentication  is  a  one  bit 
process: 

Essentially,  one  decides  whether  or  not 
the  message  is  authentic. 

•  Also,  want  to  extend  to  other  modulation 
schemes,  not  just  DSSS. 
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Idea:  Treat  bits  as  a  group 

Send  n  bits  as  a  group.  Make  a  single 
decision  on  the  group. 

Can  do  hard  or  soft  decision  of  each  bit 
in  the  group. 

Advantages:  simplicity,  better 
performance  than  other  methods,  applies 
to  many  modulation  methods. 
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Traditional  vs.  Soft-Decision 
Message  Authentication 


Soft-Decision  Message  Authentication 
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Hard  Bit  Tag 

Normally  one  specifies  PfFalse  Accept), 
e.g.,  2**-s  for  s  bits  of  “power” 

Then  one  minimizes  P(False  Reject). 

Instead  of  doing  ECC,  do  the  following: 

-Transmit  n  tag  bits 

-  If  k  or  fewer  errors,  accept;  else,  reject. 

Example:  48  bits  of  power  can  be 
achieved  with  (n,k)=(48,0),  (54,1),  (59,2), 
(64,3),  (68,4),  etc. 
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Pr(FR) 


Hard  Bit  Tag  Performance 
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Pr(FR) 


Hard  Tag  Detailed  Performance 
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Pr(FR) 


Hard  Tag  vs.  ECC 
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Hard  Bit  Tag  (ctd.) 

Hard  Bit  Tag  is  extremely  simple  to 
implement:  Generate  n  bits  and  count  the 
number  of  bits  in  error. 

The  Hard  Bit  Tag  will  outperform  any 
(hard  decision)  ECC  based  scheme  of 
same  length. 
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Soft  T  ag 

•  Instead  of  hard  decoding  each  bit,  do 
soft  decoding. 

•  If  message  is  correct,  X~N(-1,  o2) 

•  If  message  is  incorrect, 

X~0.5N(-1,  <y*)+0.5N(1,  o2) 

•  Log  likelihood  ratio  is  l(X)  =  log(eaX+1)/a 

•  Where  a=2/o2 
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Soft  Tag  Performance 

•  Use  numerical  techniques  to  compute 
density  of  i(X) 

•  Convolve  to  get  density  of  sum  of  !(X) 

•  Difficult  computation  since  desired  error 
probabilities  are  very  small,  e.g., 
2**-32=2e-1 0,  2**-48=3e-15 
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Pr(FR) 


Soft  Tag  Performance 
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Message  Authentication  via  Non- 
Spread  Soft-Decision  Decoding 

•  Original  concept  reduced  tag  size  and 
increased  tag  reliability  by  performing  hard- 
decision  decoding  of  new  spread  spectrum- 
based  waveforms 

•  Problem:  Some  communications  systems  may 
not  be  amenable  to  spreading  or  the  burden  of 
cross-layer  packet  decoding 

•  Alternate  goal:  Apply  message  authentication 
in  such  a  way  that  is  more  generalizable 

•  Concept:  Perform  soft-decision  decoding  of  a 
traditional  uncoded  message  authentication  tag 
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Soft-Decision  Decoding  Approach 

•  Traditional  Approach: 

-  Demodulate,  soft/hard  decode,  hard  correct  message 
and  tag  bits 

-  Verify  using  hard-corrected  message  and  tag  bits 

•  Do  computed  and  received  tags  match  bit-for-bit? 

•  Soft-Decision  Decoding  Approach: 

-  Demodulate,  soft  decode,  hard  correct  message  bits 

-  Verify  using  hard-corrected  message  and  soft- 
decoded  tag  bits 

•  Do  computed  and  received  tag  bit  values  match  “close 
enough”? 
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Soft-Decision  Verification  Security 


•  Two  ways  soft-decision  verification  can 
incorrectly  mark  a  incorrect  message  as 
authentic  (false  accept  failure): 

-  Failure  1.  Incorrectly  received  message  results  in 
the  receiver  computing  a  hard-decision  MAC  tag 
that  is  a  hard  bit-for-bit  match  (“collision”)  with  the 
received  authentication  tag  (same  as  traditional 
message  authentication  risk) 

-  Failure  2.  Incorrectly  received  message  results  in 
the  receiver  computing  a  hard-decision  MAC  tag 
that  is  not  a  hard  bit-for-bit  match,  but  using  soft- 
decision  verification  is  “close  enough” 

•  Our  Security  Approach 

-  Make  sure  probability  of  either  of  the  two  events  is 
less  than  the  desired  probability  of  forgery 


NATO  Crosslayer  Workshop  -  June  2-3,  2004 


APPROVED  FOR  PUBLIC  RELEASE 


35 


Addressing  “Hard”  Collision  Security 


•  To  guarantee  resilience  against 
traditional  collisions  (Failure  1),  we 
propose  to  generate  and  verify  an 
authentication  tag  that  contains  at  least 
rimjn  bits,  where: 

Desired  Pr(False  Accept)  =  2~n . - 

Example: 

If  the  Desired  Pr(False  Accept)  =  2'48,  then 
nmin  =  48  bits 

•  Total  tag  size  is  n  =  nmin  +  n’ 
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Addressing  “Soft”  Collision  Security 


•  To  guarantee  resilience  against  soft-decision 
collisions  (Failure  2),  we  propose  to  generate 
and  verify  an  authentication  tag  that  contains: 

n  =  nmjn  +  n’  bits 

•  Next  we  determine  n’ 

•  Our  soft-decision  must  evaluate  two 
hypotheses: 

H0  (authentic):  X;  ~  A/(1 ,  a2) 

H.|  (not  authentic):  Xs  ~  0.5*A/(1,  o2)  +  0.5*A/(-1,  a2) 

•  where  X  is  an  unbounded  continuous  value  where  1 
indicates  that  the  received  and  computed  bits  match,  and 
-1  indicates  that  they  do  not  match 

•  02  is  dependent  on  the  signal-to-noise  ratio 
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Sample  Means  for  the  Two 

Hypotheses 

•  As  a  practical  matter,  Xj  will  be  bounded  by  1 
to  -1 ,  so  revise  H0  s.t.: 

_q  =  (1-.68*G2)  (assuming  BPSK) 

•  Mean  of  H0  for  all  n  samples  is: 

n_0  =  ri*(1-.68*o2) 

and  for  H1  , 

n—1  ~  0 

•  However,  the  worse  case  forgery  condition  is 
a  hard-decision  bit-by-bit  collision,  so  to  be 
conservative,  set 

n-i=nminV--68V) 
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Setting  the  Verification  Threshold 


•  The  simplistic  approach  is  to  set  the 
threshold  at  the  midpoint  between  the 
means  of  the  two  hypotheses,  this  way 
the  false  accept  (verify  bad  message) 
and  false  reject  (reject  good  message) 
rates  of  the  verification  function  are  the 
same 


•  Thus,  the  threshold  is: 

t  =  _  *  (  n—0  +  n—1  ) 

t  =  nmjn  +  n’  *  (1-.68*<£)  /  2 
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Authentication  Tag  Size 
Determination 

•  Since  we  are  assuming  AWGN  and 
normal  distribution,  the  z  value  that 
corresponds  to  a  probability  of  forgery  of 
2~48  is  7. 79 

•  Thus, 

n’*(1-.68*o2)l2  =  7.79  *a2 

•  Solving  for  n’: 

n’=  2*7.79  V 

(T-.68VJ 
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Example  of  Traditional  Method 


•  Assume  we  wish  to  authenticate  a  16- 
bit  message  with  probability  of  forgery 
per  attempt  of  2'48 

•  Traditional  method: 

-  Generate  and  append  48-bit  MAC  tag 

-Generate  and  append  63  parity  bits  using  a 
Binary  BCH  block  code  with  n  =  127,  k  = 

64,  t  =  10  errors 

-Communicate  127  bits 
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Example  of  Soft-Decision 
Authentication  Method 

•  First,  determine  n’  by  selecting  the 
worst  signal-to-noise  ratio  that  would  we 
expect  to  verify  messages 

-Since  the  (n=127,k=64,t=10)  BCH  code 
can  correct  up  to  10  errors,  assume  our 
worst  case  probability  of  bit  error: 

pE=  10.5/127  =  .083 

-  For  BPSK,  Et/N0  =  -.  15  dB 

-Thus,  n’  =  ceiling  (12.45)  =  13  bits 
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Soft-Decision  Message  Composition 


So  for  the  same  16-bit  message  and  probability 
of  forgery  =  2'48 : 

-  Reduced  packet  size  approach: 

•  Generate  and  append  a  48+13  =  61  bit  MAC  tag 

•  Generate  and  append  15  bits  using  a  (n=31,  k=16,  t=3)  Binary 
BCH  code 

•  Communicate  92  bits 

•  Less  bits  than  traditional  method  with  at  least  same 
security  and  modestly  better  reliability 

-  Increased  packet  reliability  approach: 

•  Generate  and  append  a  48+16  =  64  bit  MAC  tag 

•  Generate  and  append  47  bits  using  a  (n=63,  k=16,  t=11) 
Binary  BCH  code 

•  Communicate  127  bits 

•  Same  bits  as  traditional  method  with  at  least  same 
security  and  much  better  packet  reliability 
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Soft-Decision  Authentication  Plans 

•  Remainder  of  FY04 

-  Analytically  examine  the  soft-decision 
authentication  approach  for  various 

•  Bit/packet  error  rates 

•  Packet/message  sizes 

•  Security  levels 

-  Simulate  the  soft-decision  authentication  approach 
for  various 

•  Bit/packet  error  rates 

•  Packet/message  sizes 

•  Security  levels 
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Output 

•  Submitted  paper  to  Milcom  (acceptance 
pending),  paper  to  NATO  workshop 
(accepted). 

•  In  process  of  writing  1-3  journal  articles. 

•  Developing  software  to  analyze  and 
simulate  these  tags. 
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